Always Apply the Latest Software Updates … Except When You Vote

As a vendor, we always strongly recommend that our customers run the current version of our products with the latest security patches installed. As security practitioners, we all know that running up to date software is an essential component of defending computers against the most common form of attacks. Recently, this belief was shaken during my first experience with electronic voting.

Last weekend, the French elected their representatives to the national assembly. I hold a dual citizenship, one of which is French. Having lived in the United States for many years, I qualified for a pilot program run by the French government allowing French citizens living outside of France to vote via the Internet to elect their representative at the National Assembly.

Electronic voting has been the subject of many debates and research among the security community. However, my bad experience with electronic voting had nothing to do with elaborate theories of statistics or anonymity, but everything to do with basic security measures.

The process started well:

First, French citizens living abroad were invited to register to vote over the Internet. I did so by logging in to my account on the French Consulate website.

Next, I received a confidential ID by postal mail along with a password by email. The email was not encrypted, but the ID in the letter was in fact a second password. The password was complex and physically protected with a metallic sticker. The use of two secrets sent independently through two different communication channels indicated that some thought had been given to security.

The focus on security was confirmed when I connected to vote on the government website. As a first step in the voting process, I was required to have my configuration checked in order (according to the website) to verify that my computer met the minimum security requirements for voting over the Internet.

The outcome of the verification astonished me. My configuration did not allow me to vote “in total security” on account of the configuration of my Java module. I could not resist and clicked on the link that offered me assistance in addressing the issue. I was astonished to see that even though I was running the latest version of Java (Java 1.7), the site required me to disable it and to downgrade to the previous version (Java 1.6). In short, I had to downgrade to an older version to get “total security”.

Upon checking the Java website to see if Oracle was making security recommendations different from the rest of the industry, I was reassured to see that, like every other vendor, Oracle recommends always using the latest version of Java because, among other things, it contains “vulnerability fixes”.
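The configuration check described above failed a newer, patched runtime because the site apparently pinned one specific Java release rather than setting a floor. The following Python is an added illustration of that difference, not code from the voting site or from the post's author: it normalizes Java version strings (the legacy "1.6.0_45" form the post's versions use and the post-Java-9 "11.0.2" form, both assumed here) and contrasts an exact-release gate with a minimum-version gate. The version strings are constructed sample values.

```python
import re
from typing import Tuple

# Legacy Java numbering: "1.<feature>.<minor>_<update>", e.g. "1.6.0_45".
_LEGACY = re.compile(r"^1\.(\d+)(?:\.(\d+))?(?:_(\d+))?")
# Post-Java-9 numbering: "<feature>.<minor>.<update>", e.g. "11.0.2".
_MODERN = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?")


def parse_java_version(s: str) -> Tuple[int, int, int]:
    """Normalize a Java version string to a comparable (feature, minor, update) tuple.

    "1.7.0_05" -> (7, 0, 5); "11.0.2" -> (11, 0, 2). Trailing build tags
    such as "-b06" are ignored because the regexes only match the prefix.
    """
    s = s.strip()
    m = _LEGACY.match(s)
    if m:
        return (int(m.group(1)), int(m.group(2) or 0), int(m.group(3) or 0))
    m = _MODERN.match(s)
    if not m:
        raise ValueError(f"unrecognised Java version string: {s!r}")
    return (int(m.group(1)), int(m.group(2) or 0), int(m.group(3) or 0))


def exact_version_gate(installed: str, required: str) -> bool:
    """The behaviour the post ran into: only the one blessed feature release
    passes, so a newer runtime with current security fixes is rejected."""
    return parse_java_version(installed)[0] == parse_java_version(required)[0]


def minimum_version_gate(installed: str, minimum: str) -> bool:
    """Floor check: anything at or above the minimum passes, so clients that
    follow the vendor's 'run the latest patch' advice are never turned away."""
    return parse_java_version(installed) >= parse_java_version(minimum)


def configuration_report(installed: str, baseline: str) -> dict:
    """Run both gates against one client and return a small report, the way a
    pre-vote configuration check might summarize its findings (constructed)."""
    return {
        "installed": parse_java_version(installed),
        "baseline": parse_java_version(baseline),
        "exact_gate_passes": exact_version_gate(installed, baseline),
        "minimum_gate_passes": minimum_version_gate(installed, baseline),
    }


if __name__ == "__main__":
    # Constructed sample: the post's situation, Java 1.7 installed, site pinned to 1.6.
    for client in ("1.6.0_45", "1.7.0_05", "11.0.2"):
        print(client, configuration_report(client, "1.6.0"))
```

The exact gate and the minimum gate agree only for the pinned release itself; every later release, which is exactly the software a patched client is running, passes the floor check and fails the pin.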

This marked the end of my electronic voting experiment. I did not proceed any further and I did what millions of French citizens have done for centuries; I went to the polls, took a piece of paper with the name of the candidate for whom I wanted to vote, put it in a sealed envelope that I deposited in the ballot box, and voilà, no software downgrade nor hanging chads to worry about.

About the Author: Eric Baize

Throughout his career, Eric Baize has been passionate about building security and privacy into systems and technology from design to deployment. He currently leads Dell EMC’s Product Security Office and serves as Chairman of SAFECode, an industry-led non-profit organization dedicated to advancing software and supply chain security best practices. At Dell EMC, Eric leads the team that sets the standards and practices for all aspects of product security for the product portfolio: Vulnerability response, secure development, consistent security architecture, and code integrity. Eric joined Dell through its combination with EMC where he built EMC’s highly successful product security program from the ground up and was a founding member of the leadership team that drove EMC’s acquisition of RSA Security in 2006. He later led RSA’s strategy for cloud and virtualization. Prior to joining EMC in 2002, Eric held various positions for Groupe Bull in Europe and in the US. Eric has been a member of the SAFECode Board of Directors since the organization was founded in 2007 and also serves on the BSIMM Board of Advisors. He holds multiple U.S. patents, has authored international security standards, is a regular speaker at industry conferences and has been quoted in leading print and online news media. Eric holds a Masters of Engineering degree in Computer Science from Ecole Nationale Supérieure des Télécommunications de Bretagne, France and is a Certified Information Security Manager. Follow Eric Baize on Twitter: @ericbaize